I'd like to know if someone has created a correlation rule comparing more
than 2 events in time with the "window" operation. I'm trying to create a
correlation rule that fires when one single IP generates more than 2 or 3
different IPS events. By now I have created a rule that fires when 2 different
events come from the same IP, but I can't get this one working with 3 different
events from the same IP.

For 2 different events:

filter(( not isnull(e.CustomerVar010))) flow window(((w.CustomerVar010
!= e.CustomerVar010) and (w.SourceIP = e.SourceIP)),filter(( not

where CustomerVar010 = IPS signature code


edgargc's Profile: https://forums.netiq.com/member.php?userid=620
View this thread: https://forums.netiq.com/showthread.php?t=46616
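The logic the poster is after (fire when one source IP produces N distinct IPS signature codes inside a sliding time window, ignoring repeats of the same signature and events with a null signature) is easy to state outside the Sentinel rule language. The following is an added example, not code from the thread or from NetIQ: a stand-alone Python implementation of that correlation over a constructed list of sample events. The field names, timestamps, IPs and signature codes are all made up for illustration; the signature code plays the role of CustomerVar010 in the poster's rule, and the threshold is a parameter so the same function covers the 2-event case that already works and the 3-event case that does not.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample IPS events (not taken from the original thread):
# (timestamp, source IP, IPS signature code). The signature code stands in
# for CustomerVar010; None represents a null value that the rule filters out.
SAMPLE_EVENTS = [
    (datetime(2024, 1, 1, 12, 0, 0),  "10.0.0.5", "SIG-1001"),
    (datetime(2024, 1, 1, 12, 0, 10), "10.0.0.5", "SIG-1002"),
    (datetime(2024, 1, 1, 12, 0, 20), "10.0.0.5", "SIG-1001"),  # repeat, not a new signature
    (datetime(2024, 1, 1, 12, 0, 25), "10.0.0.5", None),        # null signature, ignored
    (datetime(2024, 1, 1, 12, 0, 30), "10.0.0.5", "SIG-1003"),  # third distinct signature -> fire
    (datetime(2024, 1, 1, 12, 0, 0),  "10.0.0.9", "SIG-1001"),
    (datetime(2024, 1, 1, 12, 0, 5),  "10.0.0.9", "SIG-1002"),  # only two distinct -> no fire at N=3
    (datetime(2024, 1, 1, 12, 0, 0),  "10.0.0.7", "SIG-1001"),
    (datetime(2024, 1, 1, 12, 1, 10), "10.0.0.7", "SIG-1002"),  # SIG-1001 has aged out of a 60 s window
    (datetime(2024, 1, 1, 12, 1, 20), "10.0.0.7", "SIG-1003"),  # still only two distinct in window
    (datetime(2024, 1, 1, 12, 1, 40), "10.0.0.7", "SIG-1004"),  # third distinct in window -> fire
]


def correlate_distinct_signatures(events, min_distinct=3, window=timedelta(seconds=60)):
    """Return alerts as (fire_time, source_ip, sorted_signatures) tuples.

    An alert fires when a single source IP has produced at least `min_distinct`
    different signature codes within the trailing `window`. Events with a null
    signature are skipped (the equivalent of filter(not isnull(...))). After a
    fire the IP's window is cleared so one burst produces one alert.
    """
    recent = defaultdict(deque)  # source IP -> deque of (timestamp, signature) still inside the window
    alerts = []
    # Correlation is order-sensitive, so process events by timestamp.
    for ts, src_ip, sig in sorted(events, key=lambda e: e[0]):
        if sig is None:
            continue
        q = recent[src_ip]
        q.append((ts, sig))
        # Drop anything older than the window, measured back from the current event.
        cutoff = ts - window
        while q and q[0][0] < cutoff:
            q.popleft()
        distinct = {s for _, s in q}
        if len(distinct) >= min_distinct:
            alerts.append((ts, src_ip, tuple(sorted(distinct))))
            q.clear()
    return alerts


def alerts_for_sample(min_distinct=3):
    """Run the correlation over the constructed sample events."""
    return correlate_distinct_signatures(SAMPLE_EVENTS, min_distinct=min_distinct)


if __name__ == "__main__":
    for fire_time, src_ip, sigs in alerts_for_sample():
        print(f"{fire_time:%H:%M:%S}  {src_ip}  {', '.join(sigs)}")
```

With the default threshold of 3 only 10.0.0.5 and 10.0.0.7 fire; 10.0.0.7 fires only once SIG-1002, SIG-1003 and SIG-1004 all fall inside the same 60-second window, because its first event has aged out by then. Lowering `min_distinct` to 2 reproduces the behaviour of the poster's existing two-event rule, including 10.0.0.9.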